Obstacles to Access

(0 = best, 25 = worst)

Limits on Content

(0 = best, 35 = worst)

Violations of User Rights

(0 = best, 40 = worst)

Key Developments: May 2012 – April 2013

A federal regulatory decision made on April 10, 2013 regarding vectoring technology and the prices charged for “last mile” access has the potential to further entrench the market dominance of the leading ISP, Deutsche Telekom (see Obstacles to Access).

A Federal Court of Justice decision in July 2012 placed greater liability on host providers, stipulating that once the provider is made aware of copyright-infringing material, they must take steps to prevent further instances of that material being uploaded to their platform (see Limits on Content).

In May 2012, amendments to the telecommunication act included a provision that would allow the government to define basic requirements for non-discriminatory data transfer and access with a view of safeguarding net neutrality. However, the government has not yet established any requirements (see Limits on Content).

Amendments to the telecommunication act also lowered the threshold for public agencies to access individual user data, including sensitive data such as name, address, date of birth, user passwords and dynamic IP addresses (see Violations of User Rights).

Introduction:

Germany has a high level of internet and mobile phone penetration, and only the adoption of high-speed broadband is lagging behind other highly developed countries. However, the fact that regulators are allowing the use of vectoring technology to further the development of superfast broadband internet has encountered criticism, given that this technology allows the largest internet service providers (ISPs) to maintain some of their market dominance.

While media and internet freedom principles are generally well-respected, legally codified, and have been repeatedly affirmed in Germany, certain trends over the past year have challenged these principles. In this respect, changes in online copyright enforcement legislation and practices are starting to limit the liability privilege of ISPs and host providers. Intermediaries are now required to implement specific filter and blocking systems in order to prevent further the infringement of copyright protected materials, which might also lead to undesirable private censorship as companies attempt to avoid this liability.

The struggle for net neutrality continues to be an ongoing issue of public debate in Germany. Amendments to the telecommunication act in May 2012 stipulated that the government could require ISPs to offer internet access in a content-neutral fashion, which would be a significant step toward net neutrality. However, the amendment does not automatically safeguard this principle; rather, it requires the government to take further action by defining the minimum quality standards with which ISPs must comply. Meanwhile, German telecommunications companies introduced revised customer contracts that have revived concerns about their non-transparent traffic management practices.

Against a broad coalition of societal actors, legislators also extended the scope of the “stored data inquiry” (Bestandsdatenauskunft) through the amended telecommunication act of 2013. Data protection experts criticize the lower threshold for intrusions of citizens’ privacy as disproportionate and are considering another constitutional complaint against the telecommunication act.

Obstacles to Access:

Germany’s network infrastructure for information and communication technologies is well-developed, with 76 percent of the population in Germany having private internet access. Together with the number of mobile-only internet users, this has resulted in an overall internet penetration rate of 85 percent, which is 10 percentage points above the European Union (EU) average.[1] However, growth in internet penetration is clearly slowing down, with figures increasing by only 2.5 percentage points in 2012 in contrast to increases of 5–6 points in the years before.[2] Also, few individuals who currently do not use the internet are planning to obtain access in the future.[3]

Internet connections in private homes are almost universal, with 93 percent of households having a broadband connection of at least 1 Mbps and only 5 percent still using slower dial-up connections.[4] The most widely used access technique is still DSL (82 percent), but cable internet connections are becoming more widespread (11 percent).[5] With regard to high-speed broadband connections, there is a remarkable gap between supply and demand. On the supply side, connections with more than 50 Mbps are available for about 55 percent of households.[6] On the demand side, adoption is lagging behind: only 9 percent of households actually subscribe to fast connections between 30 and 100 Mbps.[7] Regarding the take-up of connections of at least 10 Mbps, Germany is also lagging behind internationally with only 33 percent of households having such connections, in comparison to the EU average of 48 percent.[8] For this reason, the federal regulator has been criticized for supporting controversial vectoring technology instead of focusing on the roll-out of fiber-optic broadband.[9]

Mobile phone penetration in Germany is almost universal, with a penetration rate of over 132 percent.[10] The adoption of mobile internet access increased from 28 to 40 percent in early 2013,[11] which is rather slow by international standards.[12] While 72 percent of mobile internet users have additional landline access, mobile internet is the only form of internet access for almost a third of these users. This is reflected in a high share of smartphone users (45.1 percent)[13] and flat rate data contracts (77 percent).[14] While the availability of basic UTMS connections is good (85 percent of all German households), the coverage of fast LTE technology is still growing in Germany, with half of all households being covered.[15]

Apart from the overall number of subscribers, there have also been changes in the socio-demographic composition of internet users. While there are still more men than women accessing the internet in Germany (81 percent compared to 70.5 percent), the increase of female users compared to male users was slightly higher in 2012, resulting in a smaller gender-difference of 10.5 percentage points compared to 11.8 percent in 2011. Internet penetration is particularly high in the age group 40 and younger (94.1 percent) but, in comparison, relatively low in the age group 70 and above (28.2 percent).[16] However, it is worth noting that in the older cohorts there is the highest growth rates of internet usage; for example, the internet penetration of those older than 70 has increased by 3.6 percent since 2011.[17]

Differences in internet usage depending on formal education did not significantly change in the past year; therefore, the mismatch between people with low and high levels of formal education using the internet is still about 20 percent. This phenomenon is confirmed by a comparison of net household incomes. Households with less than €1,000 net income per month have a 54.2 percent penetration rate, whereas those with more than €3,000 net income have a penetration rate of 92.7 percent.[18] Furthermore, differences in internet usage exist between Germany's western region (78 percent) and the eastern region that once constituted the communist German Democratic Republic (70 percent). This difference decreased by one percent from 2011 to 2012.[19] Nevertheless, the gap in internet penetration between urban states like Hamburg, Berlin, and Bremen and rural states such as Lower-Saxony decreased from 16 percent in 2011 to only 13 percent in 2012.[20]

Prices for flat rate broadband internet have been relatively stable over recent years and now range from €20 to €40 ($26 to $53) which is regarded as affordable compared to the average income per household of €3,578, and ranks below average prices in OECD countries.[21] Nevertheless, as the stark differences in internet usage in relation to income indicate, the price level constitutes a barrier for people with low incomes and the unemployed. Although the Federal Court of Justice ruled that access to the internet is fundamental for everyday life, costs for internet access are not adequately reflected in basic social benefits.[22] Telecommunication services have become slightly less expensive, decreasing by 2.7 percent, [23] and the costs for mobile internet usage and telephones have decreased by 3.5 percent.[24]

The telecommunications sector was privatized in the 1990s with the aim of fostering competition. Over the past decade, market consolidation has led to a competitive environment dominated by large companies both in fixed-line as well as mobile internet access; consequently, several smaller ISPs have been forced out of business. The incumbent Deutsche Telekom's share of the broadband market is 45 percent. Other relevant ISPs are 1&1-United Internet and Arcor-Vodafone (each with 12 percent of the market), O2-Telefónica (9 percent), and cable companies Unity Media (8 percent) and Kabel Deutschland (6 percent).[25]

There are four general carriers for mobile internet access: T-Mobile, Vodafone, E-Plus, and O2- Telefónica. In 2012, T-Mobile regained its market leadership from Vodafone, gaining a 32 percent market share compared to Vodafone’s 30 percent. The smaller providers, E-Plus and O2-Telefónica, have been steadily gaining market shares, with 21 percent and 17 percent of the market, respectively.[26] The mobile market is seen as one of the most competitive in the EU,[27] though competition of mobile services in downstream markets is limited, since most German mobile providers contractually prohibit services such as Voice over Internet Protocol (VoIP) or even instant messaging.[28] The Body of European Regulators for Electronic Communications (BEREC) is investigating this widespread practice of carriers across Europe and discussing possible regulatory interventions.[29]

Internet access, both broadband and mobile, is regulated by the Federal Network Agency for Electricity, Gas, Telecommunications, Post, and Railway (Bundesnetzagentur or BNetzA) operating under the supervision of the Federal Ministry of Economics and Technology. The president and vice president of the agency are appointed for five-year terms by the German federal government, following recommendations from an advisory council consisting of 16 members from the German Bundestag and 16 representatives from the Bundesrat. The German Monopolies Commission and the European Commission (EC) have both criticized this highly political setting and the concentration of important regulatory decisions in the presidential chamber of the Federal Network Agency.[30] Similarly, the European Court of Justice (ECJ) and the EC noted that the regulation of data protection and privacy by agencies under state supervision does not comply with the EU Data Protection Directive 95/46/EC.[31]

In addition to such institutional concerns, regulatory decisions by the BNetzA have been criticized for providing a competitive advantage to Deutsche Telekom, the former state-owned monopoly.[32] The most recent examples are the agency’s decisions on April 10, 2013 to allow a slight increase in the price that Telekom charges competitors for the “last mile”[33] and to support controversial vectoring technology, which in turn manifests its dominant position regarding the last mile. Vectoring can boost the bandwidth of DSL connections on existing copper lines but requires one operator to manage the whole bundle, in effect limiting the unbundling of the local loop and thus privileging, under specific circumstances, the market leader.[34]

Limits on Content:

Blocking of websites or internet content rarely takes place in Germany.[35] In 2012-2013, there were no publicly known incidents of censorship directly carried out by state actors. Since there is also no significant filtering of text messages or e-mail communication, the overall scale and sophistication of censorship has remained stable and on a non-significant level. YouTube, Facebook, Twitter and international blog-hosting services are freely available.

Content blocking or filtering practices enforced by corporate actors have been discussed for some time. The ongoing dispute between YouTube and GEMA (German Society for Musical Performance and Mechanical Reproduction)[36] indicates that private entities substantially shape the availability of online content: 61.5 percent of the most popular music videos on YouTube are blocked in Germany.[37] Since 2009, YouTube has refused to pay for a license for copyright-protected music videos disseminated on its platform, and instead shows an error message saying that the video is not available in Germany because GEMA has not granted the publishing rights.[38] YouTube has also been legally required to remove protected content upon request under the breach of duty of care.[39] GEMA holds a de facto monopoly because it exercises rights exclusively and considers it a copyright violation when YouTube uses “the rights administered by GEMA without paying any compensation to the copyright owners,”[40] and consequently sues Google for damages.[41] Google has raised concerns about undesired harms for freedom of expression.[42] The issue is most likely to continue in the courts as both parties filed appeals in May 2012.[43]

In a few cases, private content regulation practices based on the enforcement of corporate terms of service were the subject of controversial public discussions. For example, in March 2013 a German radio host’s critical Facebook posts about the Catholic Church and the new pope’s attitude toward same-sex marriage were deleted by Facebook without offering any reasons or the possibility to restore the post.[44] The scale and scope of such practices remain non-transparent.

New evidence has confirmed that ISPs across Europe regularly use deep packet inspection (DPI) for the purposes of traffic management, but also to throttle peer-to-peer traffic. Users are especially affected by P2P-related restrictions in the mobile market.[45] In Germany, there is a clear lack of transparency regarding the scope of traffic management, particularly surrounding the use of DPI, since ISPs are not required to provide the public with such information.

While there is no systematic blocking and filtering of content by the state, instances of the courts or public authorities ordering the deletion of certain content have become common. In October 2012, the U.S.-based company Twitter complied with a request to close the account of a neo-Nazi group deemed illegal by German authorities.[46] Twitter did not delete the account but started to restrict access to it for German users only.[47] This action was the first application of Twitter's new policy, introduced in January 2012, to block content and accounts on a country-by-country basis in order to balance free speech principles with its compliance of local laws. The specific decision did not arouse much controversy in Germany, and has rather been regarded as a transparent way to minimize censorship.[48]

The autocomplete function of Google’s search engine has been repeatedly subject to scrutiny. In September 2012, Germany’s former first lady sued Google for defamation over suggested words. The lawsuit demanded that Google delete 85 suggested words, and furthermore, requested the deletion of search results indexing articles that cover the issue. Google partly complied by deleting eight of the 3,000 results from the index due to unlawful and false statements of fact.[49] Following a considerable history of court rulings,[50] in May 2013 the Federal Court of Justice, in a different case, ruled that Google could be held liable, at least under some circumstances, for the infringement of personal rights through its autocomplete function.[51]

There is no censorship prior to the publication of internet content. On the other hand, figures released by ICT corporations concerning the amount of content removal requests received from governments, public authorities, or copyright owners indicate that post-publication content removal is used extensively. Microsoft has started to report the numbers of removal requests on a country-by-country basis. Notably, none of those requests resulted in a disclosure of customer content.[52] According to Google’s latest transparency report covering the period from July to December 2012, the company received 231 requests from the German government and public authorities.[53] Based on absolute numbers, Germany ranks third on a list of 65 countries that issued requests for removal of content, following Brazil and the United States. To an unprecedented degree, requests were mandated by court orders (192 requests), most commonly for defamation reasons. The total number of items requested to be removed was 1,105. The most requested items to be removed were for defamation, adult content, and hate speech matters. German youth protection authorities have continuously requested the removal of content deemed to violate German youth protection legislation, especially videos on YouTube.[54]

The protection of minors constitutes an important legal framework for the regulation of online content.[55] Youth protection on the internet is principally addressed by states through the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting (JMStV), which bans content similar to that outlawed by the criminal code, such as the glorification of violence and sedition.[56] A controversial provision of the JMStV reflecting the regulation of broadcasting media mandates that adult-only content on the internet, including adult pornography, must be made available in a way that verifies the age of the user.[57] Compliance with the interstate agreement is supervised by the Commission for Youth Protection Relating to Media (KJM) and supported by a joint body, jugendschutz.net, which operates a hotline for complaints. Notably, the JMStV enables the blocking of content if other actions against offenders fail and if such blocking is expected to be effective. Offending websites hosted outside of Germany are put on blacklists that are made available for privately developed filtering software. Members of the self-regulatory body, Voluntary Self-control for Multimedia Service Providers (FSM), are committed to removing blacklisted websites from their search results. In February 2013, the Federal Minister of Family Affairs, Senior Citizens, Women and Youth, in cooperation with internet industry partners and jugendschutz.net, introduced a proxy server meant to ensure safer internet use for children.[58] The software is offered at no charge for individual download and is available for mobile devices as well as computers. Presently, two filtering software solutions for youth protection are officially approved by the KJM.[59]

The liability of platform operators for illegal content is regulated by the telemedia act. The law distinguishes between full liability for owned content and limited “Breach of Duty of Care” (Stoererhaftung) of access providers and host providers for third party content.[60] Although access and host providers[61] are not generally responsible for the content they transmit or temporarily auto store, there is a certain tension between the underlying principles of liability privilege and that of secondary liability.[62] Principally, ISPs are not required to proactively control or review the information of third parties on their servers; they become legally responsible as soon as they gain knowledge of violations or violate reasonable audit requirements.[63]

In 2012, court rulings limited the liability privilege of ISPs by further specifying requirements, responsibilities, and obligations. Notably, these have commonly occurred in relation to copyright enforcement online. In this respect, additional blocking and filter obligations of host providers have been put in more concrete terms by the Federal Court of Justice (Bundesgerichtshof, BGH) in the “Alone in the Dark” case.[64] In the specific instance, the game publisher Atari sued the file hosting service Rapidshare for copyright violations concerning the video game “Alone in the Dark.” Although the judges did not hold Rapidshare liable for a direct infringement, they saw a violation of the service’s monitoring obligation under the breach of duty of care. Once the file hosting service was notified of one infringing copy, the court said, it should have proactively controlled its service for other copies of the same material.[65] Hosting services are now supposed to implement technically and economically reasonable mechanisms in order to prevent any further violations of the respective copyright.

In addition to the mere deletion of relevant data, the court also deemed manual post-filtering by words and the control of external link collections technically reasonable. Depending on the current technical standard, automated control mechanisms can also be considered.[66] Furthermore, ISPs are obliged to disclose customer information for prosecutions of copyright infringement, even though the person may not have infringed copyrights for commercial purposes.[67] A special requirement to review the content on any violations of rights was also ruled in a case where a blogger integrated a YouTube video onto his website.[68] Whereas linking to other websites is regarded as unproblematic, embedding content, primarily videos from other sources, could cause liability risks for the provider.[69]

An important exception to the liability privilege concerns wireless networks.[70] Because of a highly disputable ruling against the existing liability privilege by the Federal High Court in 2010, legislative initiatives from states and political parties now seek to modify the secondary liability of local Wi-Fi operators.[71]

Content hosts have also been pursued for further investigations for opinions expressed by third parties on their platforms, as single cases indicate. In these cases, authorities have required platform owners to provide the real names of users who were prosecuted for defamation reasons. They even went so far as to search the editorial office of a newspaper, which was later ruled as being unlawful,[72] and to order a coercive detention for an online editor because he refused to provide the user’s name.[73] In the latter case, the editor invoked his right to refuse testimony and has appealed to the Federal Constitutional Court (Bundesverfassungsgericht, BVerfG).

The principle of proportionality has constitutional status in Germany to which public authorities must comply. All means taken by the state against its citizens must remain proportional to the ends pursued. The interplay between the Ministry of Justice, the national data protection officer, the association of internet service providers (Eco), and the internet community effectively hold the bodies involved accountable.

Court proceedings are generally public. While a comprehensive list of all content blocking or deletion orders is not available, the media generally covers such measures. One important exception in reporting concerns the indexes of internet services of the KJM and the Federal Review Board for Media Harmful to Young People (BpJM), which are kept secret.[74]

There is no systematic self-censorship in the German press; however, certain incidents signal that press companies are becoming more risk-averse when making decisions on the content they intend to publish through private app stores.[75] Furthermore, there are more or less unspoken rules reflected in the publishing principles of the German press.[76] The penalty code and the JMStV prohibit content in a well-defined manner (such as child pornography, racial hatred, and the glorification of violence). The JMStV also regulates adult content that is potentially harmful to minors, stipulating that content inappropriate for certain age groups must be regulated to prevent access by children or young persons.

While the degree to which political actors can successfully pressure online news outlets to exclude certain information from their reporting is still insignificant, there have at least been attempts to delete critical information on the internet. The German Bundestag asked a blog to delete an expert report on corruption among parliamentarians because of an alleged copyright infringement. The platform owner refused to do so without further consequences.[77] Additionally, the Federal Ministry of Defense has taken legal steps against a newspaper,[78] demanding that it delete a set of leaked mission reports covering Afghanistan operations of the federal armed forces (Bundeswehr), based on alleged copyright infringement.[79]

With the latest amendment of the telecommunications act (Telekommunikationsgesetz, TKG) enacted in May 2012, the principle of net neutrality has been legally codified (§ 41a TKG), but is still not entirely safeguarded.[80] The law authorizes the government to define basic requirements for non-discriminatory data transfer and content access, but it does not require the government to take any further action. The German Federal Network Agency (Bundesnetzagentur, BNetzA) principally supports net neutrality, but instead of safeguarding it legally, the national regulator favors new business models based on price discrimination and differentiated classes of service as long as ISPs are transparent about their policies and give customers a choice.[81] The lack of concrete action on the part of the German government has also encountered criticism, especially when two of the market-leading telecommunications companies, Vodafone and Deutsche Telekom, announced new terms for customer contracts. Telekom, for example, announced that it would place limits on customers’ high-speed data transfer per month, but that its own services, such as television and movie-streaming services, would not count toward customers’ data transfer limits.[82] Treating in-house services differently in particular has raised concerns in terms of competition and consumer protection by governmental representatives who also declared that these practices should be scrutinized more closely.[83]

Germany is home to a vibrant internet community and blogosphere. Local and international media outlets and news sources are generally accessible and represent a diverse range of opinions.[84] Policies affecting internet regulation, data protection, or surveillance enjoy increasing public attention and media coverage. Internet-related topics are growing increasingly popular, also due to increased attention among political institutions. All political parties now have internet experts. Whereas in early 2012 the German Pirate Party could continue its remarkable success in state elections,[85] their popularity has recently been decreasing.[86] After three years of work, the multi-stakeholder Commission of Inquiry (Enquete-Kommission) on Internet and Digital Society[87] released its final report in April 2013.[88] Among other things, the commission calls for the establishment of a permanent internet commissioner at the federal level.[89]

In 2012, an example of the growing discursive power of the internet community revolved around a discussion which started on Twitter. Under the hashtag #aufschrei (“outcry”), people started to tweet about everyday sexism against women. The discussion soon left the Twitter-sphere and became a nation-wide societal debate.[90] Additionally, activists are waging online campaigns in the fight for net neutrality[91] against the telecoms Vodafone[92] and Deutsche Telekom, and have already been partly successful.[93] At the same time, multiple laws that restrict internet freedom, such as some of the amendments to the telecommunication act, were passed despite strong criticisms by a broad coalition of societal actors.

Violations of User Rights:

Germany is considered to be one of the most privacy-conscious countries; however, the 2012 amendments to the telecommunication act included a provision which allows more public agencies access to user data, and lowers the threshold for this access from investigations into serious crimes to misdemeanors and administrative offences, raising concerns about the trajectory for privacy protections in the country.

The German Basic Law guarantees freedom of expression and freedom of the media (Article 5) as well as the privacy of letters, posts, and telecommunications (Article 10). These articles generally safeguard offline as well as online communication. In addition, a groundbreaking 2008 ruling by the Federal Constitutional Court established a new fundamental right warranting the “confidentiality and integrity of information technology systems” grounded in the general right of personality guaranteed by Article 2 of the Basic Law.[94]

These rights were contested in the political aftermath of the September 2001 terrorist attacks in the United States (cf. the 2001 Act for Limiting the Secrecy of Letters, the Post, and Telecommunications).[95] However, after several cases concerning the infringement of the rights of journalists, a Federal Constitutional Court ruling in February 2007 set a strong precedent for the protection of journalists’ sources.[96] On March 29, 2012, in response to this ruling, the Federal Parliament issued the Act on Strengthening Press Freedom (Gesetzes zur Stärkung der Pressefreiheit im Straf- und Strafprozessrecht, PrStG), which protects journalistic sources and establishes high barriers for searching and seizing journalists’ property.[97] In addition to the aforementioned rulings on the liability privilege of providers, these developments constitute a trend of strengthening media freedom in Germany. In particular, the rulings of the Federal Constitutional Court continue to promote freedom of expression.

Online journalists are generally granted the same rights and protections as journalists in the print or broadcast media. Although the functional boundary between journalists and bloggers is starting to blur, the German Federation of Journalists maintains professional boundaries by issuing press cards only to full-time journalists. Similarly, the German Code of Criminal Procedure grants the right to refuse testimony solely to individuals who have “professionally” participated in the production or dissemination of journalistic materials.[98]

The German Criminal Code (StGB) includes a paragraph on “incitement to hatred” (§ 130 StGB), which penalizes calls for violent measures against minority groups and assaults on human dignity.[99] The German people mostly regard this provision as legitimate, particularly because it is generally applied in the context of holocaust denials.[100]

Website owners or bloggers are not required to register with the government. However, due to clauses in both the Telemedia Act (Telemediengesetz, TMG) and the Interstate Treaty on Broadcasting (Rundfunkstaatsvertrag, RFStV), most websites and blogs need to have an imprint naming the person in charge and contact address. The anonymous use of e-mail services, online platforms, wireless internet access points, and public telephone booths are legal. Although the Federal Minister of the Interior and some other members of the conservative parties have repeatedly expressed their disapproval of anonymity on the internet,[101] this situation is not likely to change. With explicit references to the constitution, several courts have repeatedly affirmed the right to anonymity and its necessity for the exercise of the constitutional right to freedom of expression.[102]

The right of anonymity notwithstanding, the telecommunication act of 2004 stipulates that the purchase of SIM cards requires registration, including the purchaser’s full name, address, international mobile subscriber identity (IMSI), and international mobile station equipment identity (IMEI) numbers if applicable.[103] In this way, the growing penetration of mobile internet threatens to further erode the possibility of anonymous communication.

The use of proxy servers is common in Germany, but more for the purpose of circumventing copyright restrictions than to avoid censorship. There are no figures available for the extent of their use.

Excessive interceptions by secret services formed the basis of a 2008 Federal Constitutional Court ruling, which established a new fundamental right warranting the “confidentiality and integrity of information technology systems.” The court held that preventive covert online searches are only permitted “if factual indications exist of a concrete danger” that threatens “the life, limb, and freedom of the individual” or “the basis or continued existence of the state or the basis of human existence.” The court also established that any covert infiltration of information technology systems requires a court order and that statutes permitting such infiltrations must “contain precautions in order to protect the core area of private life.”[104] Based on this Constitutional Court ruling, the Federal Parliament passed an act in 2009 authorizing the Federal Bureau of Criminal Investigation (BKA) to conduct covert online searches to prevent terrorist attacks on the basis of a warrant.[105] In addition to online searches, the act authorizes the BKA to employ methods of covert data collection, including dragnet investigations, surveillance of private residences, and the installation of a program on a suspect’s computer that intercepts communications at their source.

The amended telecommunication act of 2013 reregulates the “stored data inquiry” requirements (Bestandsdatenauskunft).[106] Under the new provision, approximately 250 registered public agencies, among them the police and customs authorities, are authorized to request from ISPs both contractual user data and sensitive data, such as PINs, passwords, and dynamic IP addresses. While the 2004 law restricted the disclosure of sensitive user data to criminal offenses, the amended act extends it to cases of misdemeanors or administrative offenses. Additionally, whereas the disclosure of sensitive data and dynamic IP addresses normally requires an order by the competent court, contractual user data (such as the user’s name, address, telephone number, and date of birth) can be obtained through automated processes. The requirement of judicial review (Richtervorbehalt) has been subject to two empirical studies, both of which found that in the majority of cases a review by a judge does not take place.[107] Data protection experts criticize the lower threshold for intrusions of citizens’ privacy as disproportionate. Two members of the Pirate Party and a lawyer who had already filed the complaint against the data retention law in 2007 have filed a new constitutional complaint against the telecommunication act.[108]

Telecommunications interception by state authorities for reasons of criminal prosecution is regulated by the code of criminal procedure (StPO) and is understood as a serious interference with basic rights. It may only be employed for the prosecution of serious crimes for which specific evidence exists and when other, less-intrusive investigative methods are likely to fail. According to recent statistics published by the Federal Office of Justice, there were a total of 21,118 orders for telecommunications interceptions in 2011, of which 1,345 concerned internet communications.[109] This is an increase of about 35 percent compared to 2010. There were also a total of 14,153 orders requesting internet traffic data in 2011.[110] Surveillance measures conducted by the secret services under the Act for Limiting the Secrecy of Letters, the Post, and Telecommunications exceed these figures. For 2011, the competent Parliamentary Control Panel reported that a total of 2.8 million telecommunications – most of them e-mail – were scanned, of which only 290 were considered relevant. [111] The e-mail contents were scanned for keywords relating to certain “areas of risk,” namely international terrorism, proliferation of arms and other military technology, and human smuggling.[112]

For purposes of criminal prosecution, since 2009, the German police have used Trojan-like pieces of software to spy on criminal suspects. The Trojan, programmed by the commercial manufacturer DigiTask, not only enables the police to legally eavesdrop on encrypted conversations but also has the potential for a wider range of actions, some of which are illegal. Among these illegal encroachments are the searching of digital devices, logging of keystrokes, and planting of “backdoors” that allow for the remote installation of additional software or insertion of false evidence. Five German states admitted to the use of the “Federal Trojan” (Bundestrojaner) but denied the use of any illegal functions.[113] Due to the considerable public criticism following the “Bundestrojaner affair,” the Federal Police decided to develop in-house capacity to produce its own lawful intrusion software. More controversially, the Federal Police have purchased FinFisher/FinSpy IT, another commercial spyware, for the “transition period” until its own solution is operational.[114]

Recent evidence shows that German police authorities regularly make use of radio cell queries for criminal investigation.[115] In the states of Berlin and Saxony, for example, radio cell queries were used in 2012 in the context of criminal investigations for which millions of data records were collected without informing the individuals affected, as required by law.[116] The extensive use of radio cell queries has raised questions of proportionality.[117]

A constitutional complaint filed by ISPs in 2012 successfully challenged the existing provisions that mandated ISPs to retain customer data and provide information on users' contractual data, PIN numbers, keys, and passwords to law enforcement agencies and secret services upon request.[118] The Federal Constitutional Court held that these provisions breach the individual right of self-determination over personal information of the Basic Law. The Federal Constitutional Court particularly criticized as partly unconstitutional the duty of telecommunications providers to provide information about passwords and other access protection measures.[119]

Following the EU Data Retention Directive, the 2007 Law on the Revision of Telecommunications Monitoring and other Covert Investigation Measures and on the Implementation of Directive 2006/24/EC mandated that ISPs and mobile phone companies have to retain traffic data for six to seven months to facilitate criminal investigations. A constitutional complaint led to the repeal of the national data retention provisions in 2010.[120] The German government has not transposed the EU Data Retention Directive within the stipulated timeframe into German law and does not intend to do so.[121] On May 31, 2012, the European Commission filed a complaint against the German government due to non-compliance, proposing that the court impose a daily penalty payment of € 315,036.54.[122]

A 2012 survey by the German Federal Network Agency shows that, in the absence of a legal obligation for data retention, the four major mobile communications providers in Germany continue to store user data for a period of between 7 and 210 days.[123]

German authorities also request user data from internet content providers. From July–December 2012, Google reported an increasing number of requests (1,550 compared to 1,426 requests for the same period in 2011), putting Germany at number four on the list of the countries that request the most user data, behind the United States, India, and France.[124] Microsoft reported 8,419 requests, affecting 13,226 accounts. In 7,088 of these cases (84.2 percent), at least “some customer data” was disclosed. Skype data has been listed separately: in 2012, there were 686 requests, affecting 2,646 accounts.[125]

There are no legal obligations to report security breaches. However, according to the Federal Ministry of Interior, approximately 1,100 cyberattacks took place in 2012. As a response to these estimates, the ministry has developed a “Cyber Security Strategy for Germany,” thereby following the global trend to improve the security of information networks in a proactive manner.[126] On June 16, 2011, Germany´s Interior Minister Hans-Peter Friedrich introduced the new National Cyber Response Centre tasked to optimize the cooperation between several federal authorities and agencies such as the Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV). The Cyber Response Centre is a sub-unit of the Ministry of Interior with 10 permanent employees.[127] In addition, a National Cyber Security Council was founded in 2011. It consists of government officials and associated business representatives who meet at least three times a year. Academic experts can be invited if required.[128] In March 2013, the Federal Ministry of the Interior proposed a law to improve the security of information networks which would have made it a mandatory obligation for telecommunication firms and critical infrastructure operators to report security breaches to the Federal Office for Information Security (BSI).[129] The Federal Ministry of Economics and Technology blocked the legislative draft in the early consultation phase. Digital rights advocates criticized the legislative proposal because it did not include a notification of users in case of security breaches. Industry associations, on the other hand, feared potential costs and bureaucratic burdens of notifying the Federal Office for Information Security.[130]

In June 2012, the media reported the establishment of a new cyberwarfare unit within the German military forces (Bundeswehr). However, the unit is said to be poorly staffed compared to its international allies.[131]

[15] TÜV Rheinland Consulting, 2012, p. 4. With the allocation of licenses for the next generation mobile standard LTE, the Bundesnetzagentur has obliged the network providers to build the new infrastructure in rural areas first before installing it cities.

[35] Due to substantial criticism by activists and NGOs that provoked an intense political debate, the 2010 law on blocking websites containing child pornography, the Access Impediment law (Zugangserschwerungsgesetz), never came into effect and was finally repealed by the German parliament in December 2011.

[36] Collecting societies are private organizations at the national level in Germany authorized by the Copyright Administration Act. Although they act under the supervision of the German Patent and Trademark Office, they belong to the private sector. The foundation requires an exemption from the antitrust laws by the Federal Cartel Office.

[37] Compared to 0.9 per cent in the United States and ca. 1 per cent in Austria and Switzerland. Cf. sueddeutsche.de, “Diese Kultur ist in Deutschland leider nicht verfügbar” [This culture is not available in Germany], January 28, 2013, http://sz.de/1.1584813

[46] The group ‘Besseres Hannover’ [Better Hanover] has been monitored by the German police for some time and finally banned by the state’s interior ministry. Cf. Twitter Inc., “Transparency Report. Removal Requests July 1 – December 31, 2012”, 2013, https://transparency.twitter.com/removal-requests-ttr2.

[54] According to the German Report for the first and second half of 2012 (cf. Fn. 51) youth protection authorities requested a total of 451 videos to be removed from YouTube.

[55] The legal framework regulating media protection of minors in particular consists of the Law for the protection of children and youth (“Jugendschutzgesetz”, JuSchG) of the federal government and the Interstate Treaty on the Protection of Minors in the Media (short “Jugendmedienschutzstaatsvertrag”, JMStV).

[61] The BGH in particular has developed the principles of limited liability of host providers: BGH [Federal Court of Justice], judgment of October 25, 2011, Az. VI ZR 93/10.

[62] Liability privilege means that information intermediaries on the internet such as ISPs are not responsible for the content their customers transmit. Secondary or indirect liability applies when intermediaries contribute to or facilitate wrongdoings of their customers.

[80] In particular: § 41a TKG, http://dejure.org/gesetze/TKG/41a.html. The clause simply authorizes the government to define basic requirements for non-discriminatory data transfer and content access, and leaves it to the Bundesnetzagentur to determine minimum quality of service standards -- a path the regulator is not likely to go.

[81] Cf. minutes of the Expert Meeting on net neutrality of the Parliamentary Inquiry Commission, October 8, 2010, http://bit.ly/1dOvaQI.

[93] The Federation of German Consumer Organizations (vzbv), a non-governmental organization for consumer protection, admonished both companies for disseminating misleading information in their terms and inadmissible contracts. Cf. http://www.vzbv.de/10432.htm ; http://bit.ly/16LO8Xh

[95] This Act enables secret services to intercept, monitor, and record private communications, including the surveillance of journalists under specific conditions. It also restricts journalistic privileges such as the right to refuse to give evidence. “Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses” [Law on the restriction of correspondence, posts and telecommunications secrecy], http://www.gesetze-im-internet.de/g10_2001/index.html.

[111] These are aggregated figures related to the three areas of risk in which scannings took place according to the report of the Parliamentary Control Panel. Cf. Deutscher Bundestag, Drucksache 17/12773, March 14, 2013, p.7, http://dip21.bundestag.de/dip21/btd/17/127/1712773.pdf. Please note that the annually presented numbers do not refer to the last year but to the year before, i.e. 2011. The Parliamentary Control Panel periodically reports to the parliament and nominates the members of the G10 Commission. The G10 Commission controls surveillance measures and is also responsible for overseeing telecommunications measures undertaken on the basis of the Counterterrorism Act of 2002 and the Amendment Act of 2007. See also: http://www.bundestag.de/htdocs_e/bundestag/committees/bodies/scrutiny/index.html.

[115] Berlin Commissioner for Data Protection and Freedom of Information, Alexander Dix: “Abschlussbericht zur rechtlichen Überprüfung von Funkzellenabfragen [Report on the legal examination of radio cell queries], p. 16, http://www.datenschutz-berlin.de/attachments/896/Pr__fbericht.pdf?1346753690 . Data are currently available for the states of Berlin and Saxony. In both states radio cell queries were used in 2012 for hundreds of lawsuits for which millions of data records were collected.